To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
APIs are the backbone of modern applications, but they also introduce their own security risks. In this hands-on training, participants take a deep dive into API security threats using a "Bad, Better, Best" approach: the same endpoint is reviewed with no defences, with a single defence, and with layered defences.
• Review real-world insecure APIs and step through progressive security improvements
• Work hands-on with the OWASP DevSlop Pixi intentionally vulnerable API, the 42Crunch IDE plugin, and Semgrep to find, fix, and prevent API vulnerabilities
• Master the OWASP API Security Top Ten through guided code reviews and hands-on exercises
• Learn best practices for API security hardening, authentication, and monitoring
By the end of this session, participants will have the skills and tools to secure APIs with confidence using industry best practices.
Course Syllabus
API Security and Hardening – Hands-On
8:30 AM - 9:00 AM: Morning Coffee & Recap
• Overview of the day’s agenda and welcome
9:00 AM - 10:30 AM: Understanding API Threats (Guided Code Review: "Bad, Better, Best")
• Deep dive into each of the OWASP API Security Top Ten 2023 (Items 1-5)
• Lecture for each item on how it works, risks and mitigations
• Guided code review in VS Code:
o Bad: Reviewing an API without any defences for each of #1-5
o Better: Improving API security with one defence per example
o Best: Implementing multiple defences, for each of items #1-5
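As an added illustration of what the "Bad, Better, Best" review looks like for item #1 (API1:2023 Broken Object Level Authorization), here is a framework-free sketch that is not part of the course materials or the Pixi project. It models a hypothetical GET /orders/{id} handler; the Order and Principal types, the handler names and the sample orders are all constructed for the example.

```python
# Added example for API1:2023 Broken Object Level Authorization (BOLA); not
# from the course or the Pixi project. Models a hypothetical GET /orders/{id}
# handler without a web framework so it runs offline; the types, handler
# names and sample data below are constructed for illustration.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    owner: str
    total_cents: int


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as a token-validation layer would produce."""
    user_id: str
    roles: frozenset = frozenset()


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data: sequential ids that any customer can enumerate.
ORDERS = {
    "1001": Order("1001", "alice", 4999),
    "1002": Order("1002", "bob", 12000),
}


def bad_get_order(caller: Principal, order_id: str) -> Order:
    """BAD: the caller is authenticated, but nothing ties the order to them.
    Alice asks for /orders/1002 and receives Bob's order."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def better_get_order(caller: Principal, order_id: str) -> Order:
    """BETTER: one defence, an ownership check on the loaded object."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if order.owner != caller.user_id:
        raise Forbidden(order_id)  # still confirms to an attacker that the id exists
    return order


# BEST: layer several defences.
ORDERS_BEST: dict[str, Order] = {}
DENIED: list[tuple[str, str]] = []  # (caller, order_id) audit trail of refusals


def create_order(owner: str, total_cents: int) -> Order:
    # Defence 1: unguessable ids, so /orders/1002 cannot simply be enumerated.
    order = Order(secrets.token_urlsafe(16), owner, total_cents)
    ORDERS_BEST[order.order_id] = order
    return order


def may_read(caller: Principal, order: Order) -> bool:
    # Defence 2: one policy function every handler calls, instead of ad-hoc
    # checks that are easy to forget on the next endpoint.
    return order.owner == caller.user_id or "support" in caller.roles


def best_get_order(caller: Principal, order_id: str) -> Order:
    order = ORDERS_BEST.get(order_id)
    if order is None or not may_read(caller, order):
        # Defence 3: every refusal is recorded with who asked for what ...
        DENIED.append((caller.user_id, order_id))
        # Defence 4: ... and "not yours" is indistinguishable from "does not
        # exist", so the response never confirms that an id is valid.
        raise NotFound(order_id)
    return order


def outcome(handler, caller: Principal, order_id: str) -> str:
    """Summarise a call as a short string so the three handlers can be compared."""
    try:
        return "ok:" + handler(caller, order_id).owner
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    alice = Principal("alice")
    print("bad   ", outcome(bad_get_order, alice, "1002"))     # ok:bob (BOLA)
    print("better", outcome(better_get_order, alice, "1002"))  # forbidden
    bobs = create_order("bob", 12000)
    print("best  ", outcome(best_get_order, alice, bobs.order_id))  # not_found
```

The "bad" handler is the classic IDOR: authentication passes, authorization is never asked. "Better" adds the one check that closes the hole. "Best" is what the review should end with: unguessable identifiers, a single authorization policy, uniform responses for missing and denied objects, and an audit trail of refusals, so that a future endpoint that forgets the check is both harder to abuse and visible when probed.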
10:30 AM - 10:45 AM: Coffee Break
10:45 AM - 12:15 PM: Advanced API Threats & Tanya’s Special List (Guided Code Review: "Bad, Better, Best")
• Overview of OWASP API Security Top Ten (Items 6-10)
• Lecture for each item on how it works, risks and mitigations
• Guided code review in VS Code:
o Bad: Reviewing an API without any defences for each of #6-10
o Better: Improving API security with one defence per example
o Best: Implementing multiple defences, for each of items #6-10
12:30 PM - 1:30 PM: Lunch Break
1:30 PM - 2:45 PM: API Security Best Practices (Interactive Discussion & Tools Overview)
• Trainer’s special list of threats to APIs (threats not covered by the OWASP API Security Top Ten)
• API Best Practices (lecture and examples) (PDF Cheat sheet provided)
• Exploring free & open-source API security tools (PDF summary provided)
2:45 PM - 4:30 PM: Hands-On API Hardening Exercise
• Participants download & open OWASP DevSlop Pixi API in VS Code
• Install the 42Crunch and Semgrep IDE plugins and create the accounts they require
• Step-by-step security improvements:
o Finding API flaws using Semgrep & 42Crunch Plugin
o Fixing as many issues as we have time for
4:30 PM - 5:00 PM: Course Wrap-Up and Q&A
• Recap of key API security takeaways
• Open Q&A session for deeper technical discussions